Shekhar Bansal created TINKERPOP-2389:
-----------------------------------------

             Summary: Authorization support in Tinkerpop
                 Key: TINKERPOP-2389
                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2389
             Project: TinkerPop
          Issue Type: Improvement
          Components: server
    Affects Versions: 3.4.7
            Reporter: Shekhar Bansal
         Attachments: Screenshot 2020-06-25 at 15.15.04.png

Use case:
 # TinkerPop supports multiple graphs using a single API, and an admin might want to restrict access to some of the graphs.
 # An admin might want to restrict read/write access on a certain graph.

 

Proposal

Add read/write access restrictions at the graph level. We can extend it to executing scripts by adding execute privileges.

 

Changes required

Add an `authorizer` block, similar to the `authentication` block, in the YAML file:

 
{code:java}
authorization: {
  authorizer: org.apache.tinkerpop.gremlin.server.authorization.AllowAllAuthorizer,
  authorizationHandler: org.apache.tinkerpop.gremlin.server.handler.SaslAuthorizationHandler,
  config: {
  }
}
{code}
 

Authorization will be done only if authentication is enabled. Authentication is done on a per-session basis, while authorization will be done for each and every request.

In `SaslAuthorizationHandler` or `HttpAuthorizationHandler`, the query will be parsed and, depending on the step instructions, marked as of type read or write. Privilege evaluation will then be done by calling the `isAccessAllowed` method of `Authorizer`:
{code:java}
import java.util.Map;

public interface Authorizer {
    /**
     * Whether or not authorization checks are required.
     * If false, the user will not be authorized.
     */
    public boolean requireAuthorization();

    /**
     * Setup is called once upon system startup to initialize the {@code Authorizer}.
     */
    public void setup(final Map<String, Object> config);

    /**
     * A "standard" authorization implementation
     */
    public boolean isAccessAllowed(AuthorizationRequest authorizationRequest) throws AuthorizationException;

}
{code}
Access policies can be defined in tools like `Apache Ranger`, sample policy:

!Screenshot 2020-06-25 at 15.15.04.png!

 

 

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
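
The per-request flow proposed above (classify the traversal as read or write from its steps, then ask the authorizer), as an added example that is not part of the original issue and is not TinkerPop code. The `AuthorizationRequest` fields, the `Access` enum, the `grant` helper and the list of mutating steps are all assumptions made for illustration; Java 17 is assumed.

```java
import java.util.*;

// Added example: every type here is hypothetical, not TinkerPop's API.
public class GraphAclExample {
    enum Access { READ, WRITE }

    // Assumed shape of the AuthorizationRequest named in the proposal.
    record AuthorizationRequest(String user, String graph, Access access) {}

    // Step names treated as mutating (assumed list for this sketch, not exhaustive).
    static final Set<String> WRITE_STEPS = Set.of("addV", "addE", "property", "drop");

    // A traversal is WRITE if any of its step names mutates the graph.
    static Access classify(List<String> stepNames) {
        return stepNames.stream().anyMatch(WRITE_STEPS::contains) ? Access.WRITE : Access.READ;
    }

    // user -> graph -> granted access types; anything absent is denied.
    private final Map<String, Map<String, Set<Access>>> grants = new HashMap<>();

    void grant(String user, String graph, Access... access) {
        grants.computeIfAbsent(user, u -> new HashMap<>())
              .computeIfAbsent(graph, g -> EnumSet.noneOf(Access.class))
              .addAll(Arrays.asList(access));
    }

    // Evaluated on every request; unknown users and graphs fall through to deny.
    boolean isAccessAllowed(AuthorizationRequest req) {
        return grants.getOrDefault(req.user(), Map.of())
                     .getOrDefault(req.graph(), Set.of())
                     .contains(req.access());
    }

    public static void main(String[] args) {
        GraphAclExample acl = new GraphAclExample();
        acl.grant("alice", "graphA", Access.READ, Access.WRITE);
        acl.grant("bob", "graphA", Access.READ);

        // Constructed step-name lists standing in for parsed traversals.
        List<String> read = List.of("V", "hasLabel", "values");
        List<String> write = List.of("addV", "property");

        for (String user : List.of("alice", "bob", "carol"))
            for (List<String> steps : List.of(read, write)) {
                var req = new AuthorizationRequest(user, "graphA", classify(steps));
                System.out.println(req + " -> " + acl.isAccessAllowed(req));
            }
    }
}
```

Because the decision is made per request and defaults to deny, an authenticated user with no policy entry for a graph is refused on both reads and writes.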
